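# SPDX-FileCopyrightText: 2023-2024 Simon Bruder
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# Static web hosting: one nginx virtual host per entry of
# `sbruder.static-webserver.vhosts`, each with a dedicated system user whose
# only SSH capability is an rsync upload (forced `rrsync` command) into the
# vhost's document root.
{ config, lib, pkgs, ... }:

let
  cfg = config.sbruder.static-webserver;

  # Settings shared by every generated nginx vhost (primary and redirect domains).
  tlsDefaults = {
    enableACME = true;
    forceSSL = true;
  };

  # Build the authorized_keys line that confines `key` to `rrsync -wo root`.
  # `restrict` turns off every forwarding/pty/rc feature, including ones added
  # to OpenSSH after this list was written; the explicit `no-*` options are kept
  # so the intent stays visible when reading the generated file.
  # NOTE(review): `root` is interpolated unquoted; a path containing `"` or
  # whitespace would corrupt the authorized_keys line — confirm roots are plain paths.
  uploadOnlyKey = root: key:
    "restrict,command=\"${pkgs.rrsync}/bin/rrsync -wo ${root}\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}";
in
{
  options.sbruder.static-webserver = {
    root = lib.mkOption {
      type = lib.types.str;
      default = "/var/www";
      description = "Directory under which per-vhost document roots are placed by default.";
    };

    vhosts = lib.mkOption {
      # The submodule only needs `name` (the attribute key = primary domain);
      # the previously declared `vhostCfg` argument was never provided nor used.
      type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
        options = {
          redirects = lib.mkOption {
            type = lib.types.listOf lib.types.str;
            default = [ "www.${name}" ];
            description = "Additional domains that redirect (over TLS) to the primary domain.";
          };
          root = lib.mkOption {
            type = lib.types.str;
            default = "${cfg.root}/${name}";
            description = "Document root served by nginx and written to by the upload user.";
          };
          user = {
            name = lib.mkOption {
              type = lib.types.str;
              description = "Name of the system user (and group) that owns the document root.";
            };
            keys = lib.mkOption {
              type = lib.types.listOf lib.types.str;
              default = config.sbruder.pubkeys.trustedKeys;
              description = "SSH public keys allowed to upload into the document root via rrsync.";
            };
          };
          imprint = {
            enable = lib.mkEnableOption "a location making the imprint available";
            location = lib.mkOption {
              type = lib.types.str;
              default = "/imprint/";
              description = "nginx location (with trailing slash) under which the imprint is served.";
            };
          };
        };
      }));
      default = { };
      description = "Static virtual hosts, keyed by primary domain.";
    };
  };

  config = lib.mkIf (cfg.vhosts != { }) {
    # One locked-down system user per vhost; SSH access is limited to the
    # forced rrsync command by the authorized_keys options above.
    users.users = lib.mapAttrs'
      (_: { user, root, ... }: lib.nameValuePair user.name {
        isSystemUser = true;
        group = user.name;
        # The forced command is executed through the login shell, so the
        # account needs a real one.
        shell = "/bin/sh";
        openssh.authorizedKeys.keys = map (uploadOnlyKey root) user.keys;
      })
      cfg.vhosts;

    users.groups = lib.mapAttrs'
      (_: { user, ... }: lib.nameValuePair user.name { })
      cfg.vhosts;

    # Create each document root owned by its upload user; 0755 so nginx can read it.
    systemd.tmpfiles.rules = map
      ({ root, user, ... }: "d ${root} 0755 ${user.name} ${user.name} -")
      (lib.attrValues cfg.vhosts);

    # Primary domain serves the document root (plus the optional imprint
    # alias); every redirect domain gets its own TLS vhost redirecting to it.
    services.nginx.virtualHosts = lib.attrsets.mergeAttrsList (lib.mapAttrsToList
      (primaryDomain: vhostCfg:
        {
          ${primaryDomain} = lib.mkMerge [
            (tlsDefaults // { root = vhostCfg.root; })
            (lib.mkIf vhostCfg.imprint.enable {
              locations.${vhostCfg.imprint.location}.alias = "${pkgs.sbruder.imprint}/";
            })
          ];
        }
        // lib.listToAttrs (map
          (domain: lib.nameValuePair domain (tlsDefaults // { globalRedirect = primaryDomain; }))
          vhostCfg.redirects))
      cfg.vhosts);
  };
}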